fix: issue where map owner authed via API key could not publish marke…

…rs on own map
M-Media-Group · Apr 13, 2024 · 97ac43e · 97ac43e
1 parent a882d1c
commit 97ac43e
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 3 deletions.
diff --git a/app/Policies/MarkerPolicy.php b/app/Policies/MarkerPolicy.php
@@ -55,12 +55,12 @@ public function create(?User $user, Map $map, $token = null)
         if ($map->users_can_create_markers == 'yes') {
             return true;
         }
-        if ($map->users_can_create_markers == 'only_logged_in') {
-            return $user && $user->hasVerifiedEmail() && $user->can('create markers');
-        }
         if ($user && $map->user_id == $user->id) {
             return true;
         }
+        if ($map->users_can_create_markers == 'only_logged_in') {
+            return $user && $user->hasVerifiedEmail() && $user->can('create markers');
+        }
         // If the user is a member of the map and has the `can_create_markers` permission, they can create markers
         if ($user && $map->users->contains($user) && $map->users->find($user->id)->pivot->can_create_markers) {
             return true;

diff --git a/tests/Unit/MarkerTest.php b/tests/Unit/MarkerTest.php
@@ -224,6 +224,37 @@ public function testCreateMarkerOnPrivateMapWithPermission()
         $response->assertStatus(201);
     }
 
+    /**
+     * Test creating a marker on an unlisted map whre only_logged_in users can create markers, as the map owner.
+     *
+     * @return void
+     */
+    public function testCreateMarkerOnUnlistedMapWithPermission()
+    {
+        $mapOwner = User::factory()->create([
+            'email_verified_at' => now(),
+        ]);
+
+        $mapOwner->givePermissionTo('create markers');
+
+        $map = new \App\Models\Map();
+        $map->privacy = 'unlisted';
+        $map->users_can_create_markers = 'only_logged_in';
+        $map->user_id = $mapOwner->id;
+        $map->save();
+
+        $this->actingAs($mapOwner, 'api');
+
+        $marker = Marker::factory()->make();
+        $marker['category_name'] = 'Test Category';
+        $marker['lat'] = 40.139;
+        $marker['lng'] = 44.139;
+
+        $response = $this->postJson('/api/maps/' . $map->uuid . '/markers', $marker->toArray());
+
+        $response->assertStatus(201);
+    }
+
     /**
      * An invited user without the `can_create_markers` permission should not be able to create a marker on a private map
      *